Uninstalling AIR Responders

PreviousAIR Responder in Windows 'Safe Mode'NextSecurity

Last updated 1 month ago

Was this helpful?

Uninstalling AIR Responders

There are several ways to uninstall the AIR Responder from assets and these include using the AIR console or working on the actual asset.

It is important to understand that you should only remove the Responder if you have no intention of revisiting the asset for further investigations. If you do need to do so, then a fresh responder deployment will be needed.

From the Assets button in the Main Menu it is possible to select one or multiple assets and then, via the Bulk Action Bar, choose to either 'Uninstall a Responder' or to 'Uninstall responder and purge console data'.

It is also possible to uninstall a Responder from the individual asset's, Asset Info page by selecting the option from the Asset Actions drop-down menu:

The 'Uninstall Responder' will remove the AIR Responder application from any selected assets.

The 'Uninstall Responder and purge console data' option will remove the AIR Responder application from the selected assets and delete the data saved from the assets on the console. All associated Tasks (eg; Timeline) will also be deleted from the console. Data saved to Remote Storage, and locally saved data on the asset will remain intact. interACT or normal asset management tools can be used to remove this data.

Password Protection for AIR Responder Uninstallation

When the Uninstallation Password feature is enabled in AIR's settings, a protection password is required to uninstall the AIR Responder. This feature restricts the uninstallation process to command-line operations only, as uninstallation through the local operating system's user interface (UI) is disabled.

Here are the key points regarding this feature:

Command-Line Uninstallation: The AIR Responder must be uninstalled using shell commands. During this process, the protection password must be included as an argument. This can be executed either locally or through remote management tools like SCCM.
Local User Restrictions: Local users must have the protection password to uninstall the Responder. Without this password, uninstallation via local user interfaces is not possible.
UI and API Uninstallation: Uninstallation through the AIR UI or API does not require the protection password, allowing for more flexible management remotely.
Tamper Detection: AIR monitors and logs any tampering with the Responder. This includes actions like deletion, pausing, termination, or any interference, enhancing security and accountability.

This structured approach ensures that only authorized personnel can remove the AIR Responder, providing an additional layer of security against unauthorized tampering and ensuring compliance with security policies.

Delete Asset option

The Delete Asset button is available only for Disk Image asset types. For any other asset type, this option remains grayed out. When used, it simply removes the Disk Image of the asset from the console without affecting the asset itself.

As shown above, when attempting to delete assets in the system, certain restrictions apply based on the type of assets selected. For instance, if you select both a Windows asset and a Disk Image asset simultaneously, the "Delete Asset" option becomes unavailable (greyed out). This is because the Windows Asset is classified as non-deletable.

Key Details:

Non-Deletable Assets: Windows assets are considered non-deletable within this system due to their critical nature or specific configuration settings that prevent deletion.
Tooltip Information: When the "Delete Asset" option is greyed out, a tooltip will appear indicating that a non-deletable asset (the Windows Asset) has been selected, providing clarity on why deletion is restricted.

This design ensures that critical assets are protected from accidental deletion, enhancing the security and integrity of the system's data management.

Uninstalling on Windows assets

Graphical User Interface (GUI) Method

To gracefully uninstall the Responder application from your Windows operating system, follow these steps:

Navigate to the Control Panel.
Access the "Add/Remove Programs" feature.
Locate and select the Binalyze AIR Responder application from the list.
Choose the option to uninstall.

Command Prompt Method

You can also uninstall the Responder application using the command prompt with the following methods:

Using Product Code

To uninstall via the product code, execute the following steps:

Identify the product code of the Responder using PowerShell:

get-wmiobject Win32_Product | Sort-Object -Property Name | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

Copy the identified product code.
Uninstall the Responder using msiexec:

msiexec /x "{84662419-2FEB-48D0-AFBF-C174D871A3CA}"

Using Original MSI File

If you possess the original MSI file of the Responder, you can proceed as follows:

msiexec /x "C:\Users\hio\Downloads\AIR.Agent_2.25.0_air-dev.binalyze.com_44_4ce0820f14f6461a_amd64_.msi"

In either method, you can efficiently uninstall the Responder application from your system.

Uninstalling a Password-Protected Responder

To uninstall a password-protected Responder, you can specify your uninstall password with the property UNINSTALL_PASSWORD by using the command prompt with the following command:

msiexec /x "{84662419-2FEB-48D0-AFBF-C174D871A3CA}" UNINSTALL_PASSWORD="my-password"

Uninstallation File and Directory Cleanup Process

When uninstalling the Binalyze AIR Responder program from a computer, certain files and directories are methodically cleaned up to ensure no residual data remains. All of these files are deleted by the Responder before the service is deleted.

Utils Directory: The utils binaries located in the Responder's installation directory are removed. If the installation directory is C:\Program Files (x86)\Binalyze\AIR\agent, folder can be found in:
- C:\Program Files (x86)\Binalyze\AIR\agent\utils\
Upload Temporary Directory: The directory used for temporary storage of upload files is cleared. This can be found in one of the following paths.
- C:\Users\[user]\AppData\Local\Temp\BinalyzeUploadTemp
- C:\Windows\TEMP\BinalyzeUploadTemp
Update Temporary Directory: The directory used for temporary storage of update files is cleared. This file can be found in one of the following paths.
- C:\Users\[user]\AppData\Local\Temp\BinalyzeUpdateTemp
- C:\Windows\TEMP\BinalyzeUpdateTemp
Update Task Download Directory: The directory used for downloading MSI binaries, If the Windows system directory is C:\, the path can be found as follows.
- C:\BinalyzeUpdateTemp
Binalyze Temp Directories: If the temp location is C:\Windows\TEMP\, the paths can be found as follows.
- C:\Windows\TEMP\Binalyze
- C:\Windows\TEMP\BinalyzeTemp

On Windows systems, the program selects the first non-empty value from the environmental variables %TMP%, %TEMP%, %USERPROFILE%, or the Windows directory for temporary storage.

Uninstalling on Linux assets

On Ubuntu and Debian

Open a terminal window.
To uninstall the Binalyze AIR Responder package, use the following command:
sudo apt remove binalyze-air-agent
This command will uninstall the package.

On CentOS, Fedora, Redhat and similar distributions (using dnf)

Open a terminal window.
To uninstall the Binalyze AIR Responder package, run the following command:
sudo dnf remove binalyze-air-agent
This command will uninstall the package.

Uninstallation File and Directory Cleanup Process

When uninstalling the Binalyze AIR Responder program from a computer, certain files and directories are methodically cleaned up to ensure no residual data remains.

Drone Config File: Drone config file located in the Responder’s installation directory. If the installation directory is /opt/binalyze/air/agent, the file can be found in:
- /opt/binalyze/air/agent/DRONE.Config.yml
Utils Directory: The utils binaries located in the Responder's installation directory are removed before the uninstallation of the service. If the installation directory is /opt/binalyze/air/agent, the folder can be found in:
- /opt/binalyze/air/agent/utils
Upload Temporary Directory: The directory used for temporary storage of upload files is cleared. This folder can be found as follows.
- /var/lib/binalyze/BinalyzeUploadTemp
Update Temporary Directory: The directory used for temporary storage of update files is cleared. This folder can be found as follows.
- /var/lib/binalyze/BinalyzeUpdateTemp
Update Task Download Directory: The directory used for downloading deb or rpm binaries, If the Linux temp directory is /tmp, the folder can be found as follows.
- /tmp/BinalyzeUpdateTemp
Binalyze Temp Directories: If the temp location is /tmp, the folders can be found as follows.
- /tmp/Binalyze
- /tmp/BinalyzeTemp
Persistent Folder: The persistent folder can be found in:
- /var/lib/binalyze
Config File: Config file is located in the Responder’s installation directory. After deleting the Responder, the configuration file is deleted. If the installation directory is /opt/binalyze/air/agent the file can be found in:
- /opt/binalyze/air/agent/config.yml

On Linux systems, it returns $TMPDIR if non-empty, else /tmp.

Uninstalling on macOS assets

To initiate the uninstallation process for the Responder via the Terminal on macOS, execute the following command:

sudo /opt/binalyze/air/agent/air --uninstall

This command, executed within the Terminal, will seamlessly guide you through the removal of the Responder application from your macOS system.

Uninstalling a Password-Protected Responder

To uninstall a password-protected Responder, you can specify your uninstall password with the environment variable AIR_UNINSTALL_PASSWORD by using the command prompt with the following command:

AIR_UNINSTALL_PASSWORD="my-password" sudo -E /opt/binalyze/air/agent/air --uninstall

Uninstallation File and Directory Cleanup Process

When uninstalling the com.binalyze.air-agent program from a computer, certain files and directories are methodically cleaned up to ensure no residual data remains. All of these files are deleted by the Responder after the package info is deleted.

Utils Directory: The utils binaries located in the Responder's installation directory are removed before the uninstallation of the service. If the installation directory is /opt/binalyze/air/agent, the folder can be found in:
- /opt/binalyze/air/agent/utils
Binaries: If the installation directory is /opt/binalyze/air/agent, these files are located in:
- /opt/binalyze/air/agent/air
- /opt/binalyze/air/agent/tactical
- /opt/binalyze/air/agent/drone
Config File: This file is located in the Responder’s installation directory. If the installation directory is /opt/binalyze/air/agent, file can be found in:
- /opt/binalyze/air/agent/config.yml
Drone Config File: This file is located in the Responder’s installation directory. If the installation directory is /opt/binalyze/air/agent, the file can be found in:
- /opt/binalyze/air/agent/DRONE.Config.yml
Service File: This file can be found in:
- /Library/LaunchDaemons/com.binalyze.air-agent.plist
Upload Temporary Directory: The directory used for temporary storage of upload files are cleared. This folder can be found as follows.
- /var/lib/binalyze/BinalyzeUploadTemp
Update Temporary Directory: The directory used for the temporary storage of update files is cleared. This folder can be found as follows.
- /var/lib/binalyze/BinalyzeUpdateTemp
Update Task Download Directory: The directory used for downloading pkg binaries, if the unix temp directory is /tmp, the folder can be found as follows.
- /tmp/BinalyzeUpdateTemp
Binalyze Temp Directories: If the temp location is /tmp, the folders can be found as follows.
- /tmp/Binalyze
- /tmp/BinalyzeTemp
Persistent Folder: The persistent folder can be found in:
- /var/lib/binalyze

On Unix systems, it returns $TMPDIR if non-empty, else /tmp.

PreviousAIR Responder in Windows 'Safe Mode'NextSecurity

Last updated 1 month ago

Was this helpful?

There are several ways to uninstall the AIR Responder from assets and these include using the AIR console or working on the actual asset.

It is also possible to uninstall a Responder from the individual asset's, Asset Info page by selecting the option from the Asset Actions drop-down menu:

The 'Uninstall Responder' will remove the AIR Responder application from any selected assets.

Password Protection for AIR Responder Uninstallation

Here are the key points regarding this feature:

Command-Line Uninstallation: The AIR Responder must be uninstalled using shell commands. During this process, the protection password must be included as an argument. This can be executed either locally or through remote management tools like SCCM.
Local User Restrictions: Local users must have the protection password to uninstall the Responder. Without this password, uninstallation via local user interfaces is not possible.
UI and API Uninstallation: Uninstallation through the AIR UI or API does not require the protection password, allowing for more flexible management remotely.
Tamper Detection: AIR monitors and logs any tampering with the Responder. This includes actions like deletion, pausing, termination, or any interference, enhancing security and accountability.

Delete Asset option

Key Details:

Non-Deletable Assets: Windows assets are considered non-deletable within this system due to their critical nature or specific configuration settings that prevent deletion.
Tooltip Information: When the "Delete Asset" option is greyed out, a tooltip will appear indicating that a non-deletable asset (the Windows Asset) has been selected, providing clarity on why deletion is restricted.

This design ensures that critical assets are protected from accidental deletion, enhancing the security and integrity of the system's data management.

Uninstalling on Windows assets

Graphical User Interface (GUI) Method

To gracefully uninstall the Responder application from your Windows operating system, follow these steps:

Navigate to the Control Panel.
Access the "Add/Remove Programs" feature.
Locate and select the Binalyze AIR Responder application from the list.
Choose the option to uninstall.

Command Prompt Method

You can also uninstall the Responder application using the command prompt with the following methods:

Using Product Code

To uninstall via the product code, execute the following steps:

Identify the product code of the Responder using PowerShell:

get-wmiobject Win32_Product | Sort-Object -Property Name | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

Copy the identified product code.
Uninstall the Responder using msiexec:

msiexec /x "{84662419-2FEB-48D0-AFBF-C174D871A3CA}"

Using Original MSI File

If you possess the original MSI file of the Responder, you can proceed as follows:

msiexec /x "C:\Users\hio\Downloads\AIR.Agent_2.25.0_air-dev.binalyze.com_44_4ce0820f14f6461a_amd64_.msi"

In either method, you can efficiently uninstall the Responder application from your system.

Uninstalling a Password-Protected Responder

To uninstall a password-protected Responder, you can specify your uninstall password with the property UNINSTALL_PASSWORD by using the command prompt with the following command:

msiexec /x "{84662419-2FEB-48D0-AFBF-C174D871A3CA}" UNINSTALL_PASSWORD="my-password"

Uninstallation File and Directory Cleanup Process

Utils Directory: The utils binaries located in the Responder's installation directory are removed. If the installation directory is C:\Program Files (x86)\Binalyze\AIR\agent, folder can be found in:
- C:\Program Files (x86)\Binalyze\AIR\agent\utils\
Upload Temporary Directory: The directory used for temporary storage of upload files is cleared. This can be found in one of the following paths.
- C:\Users\[user]\AppData\Local\Temp\BinalyzeUploadTemp
- C:\Windows\TEMP\BinalyzeUploadTemp
Update Temporary Directory: The directory used for temporary storage of update files is cleared. This file can be found in one of the following paths.
- C:\Users\[user]\AppData\Local\Temp\BinalyzeUpdateTemp
- C:\Windows\TEMP\BinalyzeUpdateTemp
Update Task Download Directory: The directory used for downloading MSI binaries, If the Windows system directory is C:\, the path can be found as follows.
- C:\BinalyzeUpdateTemp
Binalyze Temp Directories: If the temp location is C:\Windows\TEMP\, the paths can be found as follows.
- C:\Windows\TEMP\Binalyze
- C:\Windows\TEMP\BinalyzeTemp

On Windows systems, the program selects the first non-empty value from the environmental variables %TMP%, %TEMP%, %USERPROFILE%, or the Windows directory for temporary storage.

Uninstalling on Linux assets

On Ubuntu and Debian

Open a terminal window.
To uninstall the Binalyze AIR Responder package, use the following command:
sudo apt remove binalyze-air-agent
This command will uninstall the package.

On CentOS, Fedora, Redhat and similar distributions (using dnf)

Open a terminal window.
To uninstall the Binalyze AIR Responder package, run the following command:
sudo dnf remove binalyze-air-agent
This command will uninstall the package.

Uninstallation File and Directory Cleanup Process

When uninstalling the Binalyze AIR Responder program from a computer, certain files and directories are methodically cleaned up to ensure no residual data remains.

Drone Config File: Drone config file located in the Responder’s installation directory. If the installation directory is /opt/binalyze/air/agent, the file can be found in:
- /opt/binalyze/air/agent/DRONE.Config.yml
Utils Directory: The utils binaries located in the Responder's installation directory are removed before the uninstallation of the service. If the installation directory is /opt/binalyze/air/agent, the folder can be found in:
- /opt/binalyze/air/agent/utils
Upload Temporary Directory: The directory used for temporary storage of upload files is cleared. This folder can be found as follows.
- /var/lib/binalyze/BinalyzeUploadTemp
Update Temporary Directory: The directory used for temporary storage of update files is cleared. This folder can be found as follows.
- /var/lib/binalyze/BinalyzeUpdateTemp
Update Task Download Directory: The directory used for downloading deb or rpm binaries, If the Linux temp directory is /tmp, the folder can be found as follows.
- /tmp/BinalyzeUpdateTemp
Binalyze Temp Directories: If the temp location is /tmp, the folders can be found as follows.
- /tmp/Binalyze
- /tmp/BinalyzeTemp
Persistent Folder: The persistent folder can be found in:
- /var/lib/binalyze
Config File: Config file is located in the Responder’s installation directory. After deleting the Responder, the configuration file is deleted. If the installation directory is /opt/binalyze/air/agent the file can be found in:
- /opt/binalyze/air/agent/config.yml

On Linux systems, it returns $TMPDIR if non-empty, else /tmp.

Uninstalling on macOS assets

To initiate the uninstallation process for the Responder via the Terminal on macOS, execute the following command:

sudo /opt/binalyze/air/agent/air --uninstall

This command, executed within the Terminal, will seamlessly guide you through the removal of the Responder application from your macOS system.

Uninstalling a Password-Protected Responder

To uninstall a password-protected Responder, you can specify your uninstall password with the environment variable AIR_UNINSTALL_PASSWORD by using the command prompt with the following command:

AIR_UNINSTALL_PASSWORD="my-password" sudo -E /opt/binalyze/air/agent/air --uninstall

Uninstallation File and Directory Cleanup Process

Utils Directory: The utils binaries located in the Responder's installation directory are removed before the uninstallation of the service. If the installation directory is /opt/binalyze/air/agent, the folder can be found in:
- /opt/binalyze/air/agent/utils
Binaries: If the installation directory is /opt/binalyze/air/agent, these files are located in:
- /opt/binalyze/air/agent/air
- /opt/binalyze/air/agent/tactical
- /opt/binalyze/air/agent/drone
Config File: This file is located in the Responder’s installation directory. If the installation directory is /opt/binalyze/air/agent, file can be found in:
- /opt/binalyze/air/agent/config.yml
Drone Config File: This file is located in the Responder’s installation directory. If the installation directory is /opt/binalyze/air/agent, the file can be found in:
- /opt/binalyze/air/agent/DRONE.Config.yml
Service File: This file can be found in:
- /Library/LaunchDaemons/com.binalyze.air-agent.plist
Upload Temporary Directory: The directory used for temporary storage of upload files are cleared. This folder can be found as follows.
- /var/lib/binalyze/BinalyzeUploadTemp
Update Temporary Directory: The directory used for the temporary storage of update files is cleared. This folder can be found as follows.
- /var/lib/binalyze/BinalyzeUpdateTemp
Update Task Download Directory: The directory used for downloading pkg binaries, if the unix temp directory is /tmp, the folder can be found as follows.
- /tmp/BinalyzeUpdateTemp
Binalyze Temp Directories: If the temp location is /tmp, the folders can be found as follows.
- /tmp/Binalyze
- /tmp/BinalyzeTemp
Persistent Folder: The persistent folder can be found in:
- /var/lib/binalyze

On Unix systems, it returns $TMPDIR if non-empty, else /tmp.